The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Tunnel-less encrypted Virtual Private Networks (VPNs) use a group key to add confidentiality and/or integrity protection to packets, within a VPN, that are private to an enterprise or other organization using the VPN. An example of a technology that can be used to establish a tunnel-less encrypted and/or integrity-protected VPN is Group Encrypted Transport VPN, or GET VPN, commercially available from Cisco Systems, Inc., San Jose, Calif. Data packets are encapsulated as Internet Protocol security (IPsec) packets, but the outer IP header holds the source and destination host addresses rather than the addresses of IPsec gateways. Also, in a tunnel-less VPN, one VPN gateway does not necessarily know the addresses of the other VPN gateways in the network. A benefit of a tunnel-less VPN over traditional “tunneled” VPNs is that an encrypted packet can be routed according to the service provider's route table. Thus, an encrypted packet can take advantage of redundant routes through the service provider to the destination. That is, packets encrypted by any customer edge (CE) device are decrypted at whichever CE device receives them, depending on how routing in the private network forwarded the encrypted packet. The use of group security enables a level of redundancy and scalability not economically achievable with the use of Internet Key Exchange (IKE)/IPsec tunnels.
In GET VPN, all VPN gateways share the same group key. An attacker who successfully penetrates any GET VPN gateway may be able to extract the group key used by all GET VPN gateways, and can then impersonate any GET VPN gateway and/or recover the plaintext of any intercepted packet sent within the group. However, this risk is mitigated within many private networks because the CE devices often reside on customer premises and are physically secured. Nonetheless, in cases where routers are not adequately physically secured or are placed on premises not controlled by the system administrator, use of a single group key is not sufficient. Thus, there is a need to increase the security of communications between the GET VPN gateways by mitigating these risks.
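The two properties described above, that any receiving CE device can process a packet protected under the group key and that a single compromised gateway therefore exposes every flow in the group, can be made concrete with a small model. The following is an added example written for this section, not code from the patent or from Cisco's GET VPN implementation. It assumes constructed gateway names (CE-A to CE-D), constructed host addresses and payloads, and uses an HMAC tag over the outer header and payload as a stand-in for IPsec integrity protection (encryption is omitted to keep the model small). It contrasts the group-key scheme with a per-pair key scheme, showing for each which gateways can validate a packet (how freely the provider may route it) and how many flows become readable and forgeable if one gateway is compromised.

```python
"""Toy model of tunnel-less group keying versus pairwise keying.

Constructed illustration: the outer header keeps the real host addresses,
and the encapsulating gateway adds an HMAC tag under whichever key it
holds for the flow.  Gateway names, hosts and payloads are made up.
"""
import hashlib
import hmac
import itertools
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_host: str   # outer header carries the real source host, not a gateway
    dst_host: str   # outer header carries the real destination host
    payload: bytes
    tag: bytes      # integrity tag computed by the encapsulating gateway


def _header(src_host: str, dst_host: str) -> bytes:
    return f"{src_host}->{dst_host}".encode()


def protect(key: bytes, src_host: str, dst_host: str, payload: bytes) -> Packet:
    """Encapsulate a packet: tag covers the routable outer header and the payload."""
    tag = hmac.new(key, _header(src_host, dst_host) + payload, hashlib.sha256).digest()
    return Packet(src_host, dst_host, payload, tag)


def verify(key: bytes, pkt: Packet) -> bool:
    """A receiving gateway accepts the packet only if its key reproduces the tag."""
    expected = hmac.new(key, _header(pkt.src_host, pkt.dst_host) + pkt.payload,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.tag)


def group_keying(gateways):
    """GET VPN style: one group key held by every gateway and used for every flow."""
    keys = {"group": os.urandom(32)}
    holdings = {gw: {"group"} for gw in gateways}
    flow_key = {(a, b): "group" for a in gateways for b in gateways if a != b}
    return keys, holdings, flow_key


def pairwise_keying(gateways):
    """Tunnel style: a distinct key per gateway pair, held only by its two endpoints."""
    keys, holdings, flow_key = {}, {gw: set() for gw in gateways}, {}
    for a, b in itertools.combinations(gateways, 2):
        kid = f"{a}|{b}"
        keys[kid] = os.urandom(32)
        holdings[a].add(kid)
        holdings[b].add(kid)
        flow_key[(a, b)] = kid
        flow_key[(b, a)] = kid
    return keys, holdings, flow_key


def exposed_flows(holdings, flow_key, compromised):
    """Directed flows whose key the compromised gateway holds (readable and forgeable)."""
    revealed = holdings[compromised]
    return sorted(flow for flow, kid in flow_key.items() if kid in revealed)


def accepting_gateways(keys, holdings, sender, pkt):
    """Gateways other than the sender that can validate the packet with a key they hold."""
    return sorted(gw for gw, held in holdings.items()
                  if gw != sender and any(verify(keys[k], pkt) for k in held))


GATEWAYS = ["CE-A", "CE-B", "CE-C", "CE-D"]   # constructed gateway names


def demo(scheme):
    """Protect one packet at CE-A for the CE-A -> CE-B flow and measure both properties."""
    keys, holdings, flow_key = scheme(GATEWAYS)
    pkt = protect(keys[flow_key[("CE-A", "CE-B")]],
                  "10.1.0.5", "10.2.0.9", b"constructed payload")
    return {
        "accepting": accepting_gateways(keys, holdings, "CE-A", pkt),
        "exposed_by_CE-A": exposed_flows(holdings, flow_key, "CE-A"),
    }


if __name__ == "__main__":
    total = len(GATEWAYS) * (len(GATEWAYS) - 1)
    for scheme in (group_keying, pairwise_keying):
        r = demo(scheme)
        print(f"{scheme.__name__}: packet accepted by {r['accepting']}; "
              f"flows exposed if CE-A is compromised: {len(r['exposed_by_CE-A'])}/{total}")
```

Under group keying the packet is accepted by every other gateway, which is what lets the provider route it freely, but compromising CE-A exposes all 12 directed flows; under pairwise keying only CE-B accepts the packet, and a compromise of CE-A exposes only the 6 flows CE-A participates in. The model makes the trade-off the section describes measurable: routing flexibility is bought with a larger key-compromise blast radius.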